
Commit 0dca931

committed
chore: remove commons-codec dependency from sigstore-java
commons-codec might still be used as a transitive dependency; however, the base code should not rely on commons. Signed-off-by: Vladimir Sitnikov <[email protected]>
1 parent c7a516b commit 0dca931


2 files changed

+7
-3
lines changed


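--- a/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
+++ b/sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java
@@ -18,6 +18,7 @@
 import static com.google.common.io.Files.asByteSource;
 
 import com.google.common.hash.Hashing;
+import com.google.common.io.BaseEncoding;
 import dev.sigstore.KeylessVerifier;
 import dev.sigstore.TrustedRootProvider;
 import dev.sigstore.VerificationOptions;
@@ -30,7 +31,6 @@
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
 import java.util.concurrent.Callable;
-import org.apache.commons.codec.binary.Hex;
 import picocli.CommandLine.ArgGroup;
 import picocli.CommandLine.Command;
 import picocli.CommandLine.Option;
@@ -117,7 +117,8 @@ static class Policy {
 public Integer call() throws Exception {
 byte[] digest;
 if (artifact.startsWith(SHA256_PREFIX)) {
-digest = Hex.decodeHex(artifact.substring(SHA256_PREFIX.length()));
+digest =
+BaseEncoding.base16().ignoreCase().decode(artifact.substring(SHA256_PREFIX.length()));
 } else {
 if (workingDirectory != null) {
 artifact = workingDirectory.resolve(artifact).toString();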
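Review bot: The decoded value in the `SHA256_PREFIX` branch is not checked for length in the lines shown, so a truncated or over-long hex string is accepted as a digest at this point. A guard directly after the decode, such as `if (digest.length != 32) throw new IllegalArgumentException("sha256 digest must be 64 hex characters");`, would reject it with a clear message. The swap also changes the failure type for malformed hex: Guava's `decode` throws an unchecked `IllegalArgumentException` where `Hex.decodeHex` threw the checked `DecoderException`, which matters if any caller catches the old type. `call()` continues past the end of the hunk, so a length check may already exist further down.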

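--- a/sigstore-java/build.gradle.kts
+++ b/sigstore-java/build.gradle.kts
@@ -11,6 +11,10 @@ plugins {
 description = "A Java client for signing and verifying using Sigstore"
 
 dependencies {
+constraints {
+// Just in case third-party dependencies use it
+implementation("commons-codec:commons-codec:1.20.0")
+}
 compileOnly("org.immutables:gson:2.10.1")
 compileOnly("org.immutables:value-annotations:2.10.1")
 annotationProcessor("org.immutables:value:2.10.1")
@@ -34,7 +38,6 @@ dependencies {
 runtimeOnly("io.grpc:grpc-netty-shaded")
 compileOnly("org.apache.tomcat:annotations-api:6.0.53") // java 9+ only
 
-implementation("commons-codec:commons-codec:1.18.0")
 implementation("com.google.code.gson:gson:2.13.2")
 implementation("org.bouncycastle:bcutil-jdk18on:1.82")
 implementation("org.bouncycastle:bcpkix-jdk18on:1.82")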
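Review bot: The new constraint pins commons-codec at 1.20.0 while the removed direct dependency was 1.18.0, so this commit also raises the version that transitive users resolve, which the title and description do not mention. The comment `// Just in case third-party dependencies use it` does not say which dependency pulls it in or why this version was chosen. Something like `// Not used by sigstore-java itself; sets the minimum version for transitive commons-codec (name the dependency that brings it in)` would let a later reader decide when the constraint can be dropped. A constraint declared on `implementation` is probably published with the module's metadata and would then apply to consumers' dependency graphs too, so it is worth confirming that this is intended.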
